Anti-bribery and corruption (ABC) risk assessments are the cornerstone of an effective compliance programme, ensuring that compliance resources are focused on the most significant ABC risks faced by the business. A genuinely risk-based compliance programme helps to achieve both the primary objective of a compliance programme (preventing ABC issues occurring), the secondary objective (providing a potential defence to liability or otherwise a plea in mitigation where ABC issues do arise) – and where relevant, meeting any applicable regulatory requirements (e.g. to maintain financial crimes systems and controls).
The consistent message from enforcement authorities around the world is that an ABC compliance programme needs to be demonstrably risk-based, i.e. designed, implemented and enhanced on an ongoing basis in line with a detailed, documented and ongoing risk assessment. It is important that different authorities’ expectations in relation to risk assessments are read together – not only because companies are increasingly facing coordinated enforcement action, but also because in practice the assessment of a compliance programme by authorities in one jurisdiction is likely to be informed by guidance in other jurisdictions; in particular the detailed DOJ guidance updated in June 2020 (US Guidance). Our blog on the key aspects of the US Guidance can be found here.
We consider below the four key steps in conducting an effective risk assessment.
- Agreeing the risk assessment process
As a first step, consider how the risk assessment will be conducted, who will conduct it/have ultimate responsibility for it (and whether external expertise should be called upon), what data is needed to conduct the risk assessment, and how the process will be documented. It is important to make sure the process has sufficient senior level support, and that the scope of the risk assessment is carefully defined (e.g. which entities/jurisdictions it includes, whether it will be combined with risks beyond ABC, and how it will feed into the overall enterprise risk management (ERM) process).
Risk assessments should be an ongoing process, but there is also value in periodically taking a step back and reviewing the risk assessment afresh. Simple tweaks over time may not be sufficient if the overall programme is not effectively designed – or if the business has fundamentally changed since the programme was put in place.
When planning a risk assessment, care should be taken to ensure that it will address the specific expectations of all relevant authorities that could have jurisdiction over the company. For example, the US Guidance emphasises that risk assessments should be continuous (whereas UK guidance refers to “periodic” risk assessments) and states that in order to conduct continuous risk assessments compliance teams should have “continuous access to operational data and information across functions” and review issues faced by peer companies. The guidance by the French AFA, meanwhile, provides a list of specific questions to consider in relation to risk assessments and states that a risk assessment should be complete, formalised and evolutive, assessing risks periodically and in particular, whenever a significant element of the organisation changes.
- Risk mapping
Risk mapping can be approached in a number of different ways, but it is important that the process is not generic, i.e. that it does not consider only the types of risks typically faced by a company in a particular sector or set of geographies. Companies should also consider the specific risks and compliance issues they have faced previously or currently face. Key steps include:
- Getting structured input about ABC risks from those in the company who are in the highest risk positions (sales, those dealing with government officials, managing agents etc.).
- Understanding what ABC issues the company has previously faced, including the root causes of those issues, whether any control weaknesses were identified, what remediation was undertaken and whether any remediation steps remain outstanding.
- Carefully researching what ABC issues other companies in the sector have faced, or which exist in higher risk jurisdictions the company operates in.
- Considering recent and upcoming events that may impact on the risk assessment (e.g. an acquisition/new joint venture; a move into a new business area or geography).
- Carefully recording the risk-mapping process, including the data analysed.
- Residual risk analysis
Once the risks have been mapped, it is important to assess where the greatest residual risks (both in terms of severity and likelihood) arise by assessing the extent to which the ABC compliance programme mitigates the risks identified. Ideally, this will be by reference to a review of the effectiveness of the compliance programme, including financial controls. The residual risk analysis will ultimately help the company to focus its resources on enhancing the programme where it is most needed.
In our experience, one of the greatest residual risks will usually be third parties (in part because the actions of third parties are outside the direct control of the company). Indeed, a very high proportion of ABC related enforcement action to date has concerned third party conduct.
- Enhancing your compliance programme to deal with your key residual ABC risks
The final step is making sure that necessary enhancements/resource allocations are made to mitigate the residual risks identified, and ensuring that this is done expeditiously. Points we would recommend considering at this stage include:
- Maintaining a tracker of changes to the risk assessment, summarising when changes were made, who approved them, why they were made, and details of the changes to be made to the compliance programme as a result (including ownership and timelines).
- Ensuring that the highest risk enhancements are prioritised, but also keeping a record of what the company is designating as low risk and why (i.e. areas to which less resource is being allocated).
- Not only dedicating more resource to higher risk areas, but also allocating resource proportionately to risk within those areas. For example, in the third party context, greater management time and financial resource should be allocated to high risk third parties than to low risk ones.
Do you want to learn more?
The latest webinar in our ABC compliance webinar series, Risk assessments and the expectations of global authorities – what this means for businesses, will be held on 18 March 2021. You can register to attend this session here.